For the external IdP (aka CAMS), we will offer Kerberos as an alternate ID authentication option, via HTTP/SPNEGO. 

This turned out to be trickier than anticipated: using the Apache mod_auth_kerb module to protect the SPNEGO authentication location interacts poorly with an AJP connector (mod_jk or mod_proxy_ajp) that forwards shibboleth-idp requests to Tomcat. Specifically, adding an "ErrorDocument 401" directive for the protected location, with a target URL that lives behind the AJP connector, breaks the server's "Negotiate" response, because the connector's request forwarding apparently overrides it. The upshot is that authentication always fails when the ErrorDocument URL is handled by the servlet container (e.g. our login JSP), as we would prefer, rather than by Apache. (We require an ErrorDocument handler, since otherwise the user just gets the browser's standard authentication error page.)

The easiest resolution, though a hack, was to implement a CGI script as the error handler; the script simply issues a refresh to the "real" error handler, i.e. our login JSP, with an appropriate error code. (It must use a refresh, not a redirect, since a redirect presents the same problem as forwarding through the connector.) I don't believe there is a viable alternative to such a hack, short of dropping mod_auth_kerb and implementing SPNEGO support in servlet code; besides being substantially more work, that might present other issues, as it would require upgrading to Java 6, which is not recommended for Shibboleth IdP 1.3. Variations on the hack are possible, e.g. using PHP instead of CGI, as long as they are Apache-based rather than servlet-based. I chose CGI because I am more familiar with it, it is easier to configure, and I was wary of potential issues in combining PHP with the Shibboleth SP modules (the external IdP will also run the Shibboleth SP module, to protect the account management application).
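As an added illustration of the CGI hack described above (example code, not the script from the original page), a minimal POSIX sh error handler: it supplies only a response body plus a Refresh header, so Apache's own 401 status and WWW-Authenticate: Negotiate header stay intact for browsers that can do SPNEGO, while other browsers are refreshed to the login JSP. The login JSP path /idp/login.jsp, the error and return query parameters, and the use of Apache's REDIRECT_URL variable are assumptions.

```shell
#!/bin/sh
# CGI handler for "ErrorDocument 401" on the mod_auth_kerb-protected location.
# Apache has already generated the 401 and the WWW-Authenticate: Negotiate
# header; this script only supplies the body. It must NOT emit a Location:
# header or a 3xx Status:, since a redirect replaces the 401 and the browser
# never attempts Negotiate (the same failure as forwarding via the connector).
# Assumed (not from the original page): LOGIN_URL, the error/return parameters.

LOGIN_URL="${LOGIN_URL:-/idp/login.jsp}"   # assumed path of the login JSP behind AJP

# Percent-encode the requested URL before reflecting it into a query string,
# so a crafted request path cannot inject extra parameters or HTML.
url_encode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's,/,%2F,g' -e 's/&/%26/g' \
        -e 's/?/%3F/g' -e 's/=/%3D/g' -e 's/ /%20/g' -e 's/#/%23/g' \
        -e 's/</%3C/g' -e 's/>/%3E/g' -e 's/"/%22/g'
}

# Build the complete CGI response (headers, blank line, body) for the
# originally requested URL ($1) and the error code to report ($2).
build_response() {
    orig="$(url_encode "$1")"
    code="${2:-spnego_failed}"                 # assumed error code value
    target="${LOGIN_URL}?error=${code}&return=${orig}"
    html_target="$(printf '%s' "$target" | sed 's/&/\&amp;/g')"
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    printf 'Refresh: 0; url=%s\r\n' "$target"
    printf 'Cache-Control: no-store\r\n'
    printf '\r\n'
    printf '<html><head><meta http-equiv="refresh" content="0; url=%s"></head>' "$html_target"
    printf '<body>Kerberos login not available; <a href="%s">continue to password login</a>.</body></html>\n' "$html_target"
}

# When Apache invokes an ErrorDocument CGI, REDIRECT_URL holds the protected
# URL the client originally asked for.
if [ -n "$REDIRECT_URL" ] || [ -n "$GATEWAY_INTERFACE" ]; then
    build_response "${REDIRECT_URL:-/}" "spnego_failed"
fi
```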
